CVE-2026-43073: Linux Kernel Privilege Escalation Flaw

CVE-2026-43073 Overview

CVE-2026-43073 addresses a Linux kernel issue on x86-64 architectures involving the misleadingly named __copy_user_nocache() function. The function is neither a standard non-cached copy nor strictly a user-space copy. It is a specialty memory copy routine that uses non-temporal stores for the destination and provides exception handling for both source and destination accesses. Several in-tree drivers misused the user-copy variant, complete with STAC/CLAC instructions, to perform kernel-to-kernel copies purely as a performance optimization. The kernel maintainers renamed the function and adjusted its prototype to reduce misuse. The fix also corrects the Non-Transparent Bridge (NTB) code, which improperly invoked the user-copy interface for what was actually a kernel copy.

Critical Impact

Misuse of the user-copy variant of __copy_user_nocache() enabled kernel paths to toggle SMAP (STAC/CLAC) without legitimate user-space access, weakening privilege boundary enforcement in affected drivers.

Affected Products

• Linux kernel x86-64 (multiple stable branches receiving the rename and NTB fix)
• Drivers using __copy_user_nocache() including the NTB subsystem
• Stable trees referenced by commits 14b9194, c6d4e05, d187a86, d993e17, and efea91a

Discovery Timeline

• 2026-05-05 - CVE-2026-43073 published to NVD
• 2026-05-06 - Last updated in NVD database

Technical Details for CVE-2026-43073

Vulnerability Analysis

The __copy_user_nocache() function on x86-64 implements a memory copy that issues non-temporal stores to the destination while leaving source loads cached. It includes exception-handler fixups for faults on either operand, which historically allowed it to back user-space access sequences. The original use case targeted persistent-memory destinations that required non-temporal stores to surface machine-check exceptions synchronously. Over time, callers diverged. Some drivers used it as designed, copying from user space into a non-cached kernel buffer. Other drivers invoked the user-facing variant solely for the non-temporal store behavior, wrapping calls with STAC/CLAC even when no user pointer was involved. The Non-Transparent Bridge (NTB) driver was one such caller, executing STAC/CLAC for a copy that never crossed the user-kernel boundary.

Root Cause

The root cause is a naming and API design defect. The function name implied a user, non-cached copy, but the routine implemented neither in the conventional sense. The ambiguous interface invited callers to enable user-mode access permissions through Supervisor Mode Access Prevention (SMAP) toggles without any actual user-space dereference. The size argument was also silently truncated below size_t width.

Attack Vector

No network or local attack vector is described in the upstream commit message. The change is a defensive cleanup. Risk arises indirectly from drivers that disable SMAP through STAC while operating only on kernel addresses, broadening the window during which a concurrent kernel bug could be leveraged to access user pages without protection. The vulnerability has no known public exploit, and the EPSS data places exploitation likelihood at the low end.

The upstream patch series renames the function, updates the prototype to accept a non-user pointer when the caller has performed proper conversion, widens the size argument to full size_t, and converts the NTB driver to the sanely named kernel variant. See the Linux Kernel Commit 14b9194 for the rename and the Linux Kernel Commit efea91a for additional fixes.

Detection Methods for CVE-2026-43073

Indicators of Compromise

• No file-based or network indicators are associated with this kernel cleanup. Detection focuses on build artifacts and runtime kernel version data.
• Presence of unpatched kernel images on x86-64 hosts that still expose the legacy __copy_user_nocache() symbol to in-tree modules.

Detection Strategies

• Inventory running kernel versions across x86-64 fleets and compare against the fixed stable releases referenced by the upstream commits.
• Audit out-of-tree drivers for direct calls to __copy_user_nocache() or surrounding STAC/CLAC sequences that lack a corresponding copy_from_user/copy_to_user operation.
• Use kallsyms and module symbol inspection to identify drivers binding to the deprecated symbol.

Monitoring Recommendations

• Track Linux distribution security advisories for backports of commits 14b9194, c6d4e05, d187a86, d993e17, and efea91a.
• Monitor kernel build pipelines for warnings introduced by the renamed prototype, which surface callers that need updates.
• Log loaded kernel modules and flag deployments of NTB drivers built against pre-patch headers.

How to Mitigate CVE-2026-43073

Immediate Actions Required

• Apply the upstream rename and NTB fix series to all x86-64 kernel builds derived from affected stable trees.
• Review any out-of-tree drivers that call the legacy __copy_user_nocache() symbol and migrate them to the renamed kernel-copy interface.
• Validate that drivers using non-temporal stores are not toggling SMAP when no user pointer is involved.

Patch Information

The fix is delivered through five upstream commits in the Linux stable tree: Linux Kernel Commit 14b9194, Linux Kernel Commit c6d4e05, Linux Kernel Commit d187a86, Linux Kernel Commit d993e17, and Linux Kernel Commit efea91a. Distribution maintainers should backport the full series rather than individual commits to avoid prototype mismatches.

Workarounds

• No runtime workaround is documented. The defect is structural and requires source-level changes.
• Where patching is delayed, restrict loading of NTB and other drivers that exercised the misused interface until the kernel is updated.
• Rebuild any third-party kernel modules against patched headers to ensure callers conform to the renamed prototype.

# Verify running kernel version and inspect for the legacy symbol
uname -r
grep -E 'copy_user_nocache' /proc/kallsyms
# List loaded NTB modules that may require rebuild after patching
lsmod | grep -i ntb